HackerOne: Session Management

2013-11-07T17:19:36
ID H1:288
Type hackerone
Reporter javidhussain21
Modified 2014-04-19T20:59:20

Description

HackerOne does not invalidate the session on the server side when the user signs out by clicking "Sign-Out" in the application. The session cookie is cleared from the client side (the browser), but the corresponding server-side session record is left alive, so a copy of the cookie taken before sign-out still grants access to the user's account when it is replayed. Logging in again issues a new session cookie, but the earlier session cookies remain valid on the server as well. Any previously issued session cookie for the account can therefore be reused to gain access to that account.
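The behaviour reported above, and the corrected behaviour, side by side in a minimal in-memory session store. This is an added illustration written for this page, not HackerOne's code; the `USERS` table, the `SESSION_TTL` value and the `replay_after_logout` / `old_session_survives_relogin` checks are constructed for the example. The vulnerable path (`logout_client_only`) only tells the browser to drop the cookie, exactly the pattern the report describes; the fixed path (`logout`) deletes the server-side record first, and `login(rotate=True)` additionally retires the user's other live sessions so an old cookie cannot outlive a fresh login.

```python
import secrets
import time

# Constructed credential table and session lifetime for this example only.
USERS = {"alice": "correct horse battery staple"}
SESSION_TTL = 3600  # seconds


class SessionStore:
    """Minimal server-side session store keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "expires": float}

    def login(self, user, password, *, rotate=False):
        """Authenticate and mint a new session id. Returns None on failure."""
        if USERS.get(user) != password:
            return None
        if rotate:
            # Hardened: retire every other live session for this user, so that
            # session ids issued before this login stop working.
            for sid, sess in list(self._sessions.items()):
                if sess["user"] == user:
                    del self._sessions[sid]
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def user_for(self, sid):
        """Resolve a presented cookie value to a user, or None if not valid."""
        sess = self._sessions.get(sid)
        if sess is None or sess["expires"] < time.time():
            self._sessions.pop(sid, None)  # lazily drop expired records
            return None
        return sess["user"]

    def logout_client_only(self, sid):
        """Vulnerable pattern: expire the cookie in the browser only.

        The server-side record is untouched, so a captured cookie value
        still resolves to the user via user_for().
        """
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}

    def logout(self, sid):
        """Fixed pattern: delete the server-side record, then expire the cookie."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}


def replay_after_logout(server_side_invalidation):
    """Return True if a cookie captured before sign-out still works afterwards."""
    store = SessionStore()
    captured = store.login("alice", USERS["alice"])
    if server_side_invalidation:
        store.logout(captured)
    else:
        store.logout_client_only(captured)
    return store.user_for(captured) is not None


def old_session_survives_relogin(rotate):
    """Return True if a session issued before a fresh login is still accepted."""
    store = SessionStore()
    old = store.login("alice", USERS["alice"])
    new = store.login("alice", USERS["alice"], rotate=rotate)
    assert store.user_for(new) == "alice"  # the fresh session always works
    return store.user_for(old) is not None


if __name__ == "__main__":
    print("replay after client-only logout works:", replay_after_logout(False))
    print("replay after server-side logout works:", replay_after_logout(True))
    print("old session survives re-login (no rotation):", old_session_survives_relogin(False))
    print("old session survives re-login (rotation):", old_session_survives_relogin(True))
```

The two check functions are the manual test for this report class: save the session cookie value, sign out, then replay the saved value against an authenticated page and expect to be treated as logged out; repeat by logging in a second time and replaying the first cookie.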